authorGitLab Bot <gitlab-bot@gitlab.com>2023-03-01 18:32:41 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2023-03-01 18:32:44 +0000
commit004d0ef00672e8445682235c4ef74fd9475bea24 (patch)
treeb1c20c40e8e6516091c7cf5d564a7aa4e2a2a247
parent0c738dd9b13c6276975e25440d03d4db660adcb1 (diff)
downloadgitlab-ce-004d0ef00672e8445682235c4ef74fd9475bea24.tar.gz
Add latest changes from gitlab-org/security/gitlab@15-9-stable-ee
-rw-r--r--app/models/integration.rb2
-rw-r--r--app/models/integrations/datadog.rb1
-rw-r--r--config/initializers/rest-client-hostname_override.rb2
-rw-r--r--doc/development/integrations/index.md9
-rw-r--r--lib/gitlab/http_connection_adapter.rb2
-rw-r--r--spec/lib/gitlab/ci/config/external/file/remote_spec.rb2
-rw-r--r--spec/lib/gitlab/fogbugz_import/importer_spec.rb4
-rw-r--r--spec/lib/gitlab/http_connection_adapter_spec.rb6
-rw-r--r--spec/lib/gitlab/import_export/remote_stream_upload_spec.rb10
-rw-r--r--spec/lib/gitlab/prometheus/queries/validate_query_spec.rb5
-rw-r--r--spec/models/integration_spec.rb9
-rw-r--r--spec/models/integrations/datadog_spec.rb2
-rw-r--r--spec/support/shared_contexts/features/integrations/integrations_shared_context.rb1
-rw-r--r--spec/support/shared_examples/initializers/uses_gitlab_url_blocker_shared_examples.rb12
14 files changed, 40 insertions, 27 deletions
diff --git a/app/models/integration.rb b/app/models/integration.rb
index 8bef8b08c19..d3006f00ba1 100644
--- a/app/models/integration.rb
+++ b/app/models/integration.rb
@@ -510,7 +510,7 @@ class Integration < ApplicationRecord
end
def api_field_names
- fields.reject { _1[:type] == 'password' }.pluck(:name)
+ fields.reject { _1[:type] == 'password' || _1[:name] == 'webhook' }.pluck(:name)
end
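Review bot: The new rejection matches the field name exactly (`_1[:name] == 'webhook'`), while the documentation added in this same commit says sensitive fields are those that *contain* `webhook` in their name, so a field named e.g. `webhook_url` would still be returned by `api_field_names` unless something outside this hunk already forces such fields to `type: 'password'`. Either tighten the check, e.g. `fields.reject { _1[:type] == 'password' || _1[:name].to_s.include?('webhook') }.pluck(:name)` (better: a frozen regex constant that the docs can point at), or correct the documentation to say the name must be exactly `webhook`. Whichever rule is intended, add a spec case with a name like `webhook_url` so the boundary is pinned rather than implied. The enclosing `Integration` class starts and ends outside this hunk.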
def form_fields
diff --git a/app/models/integrations/datadog.rb b/app/models/integrations/datadog.rb
index 80eecc14d0f..3b3c7d8f2cd 100644
--- a/app/models/integrations/datadog.rb
+++ b/app/models/integrations/datadog.rb
@@ -15,6 +15,7 @@ module Integrations
TAG_KEY_VALUE_RE = %r{\A [\w-]+ : .*\S.* \z}x.freeze
field :datadog_site,
+ exposes_secrets: true,
placeholder: DEFAULT_DOMAIN,
help: -> do
ERB::Util.html_escape(
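Review bot: `exposes_secrets: true` on `datadog_site` carries no comment explaining why a plain hostname field is flagged, which matters because the flag appears to tie the stored API key to the host it is sent to; a one-line comment above the option would stop the next maintainer from "cleaning it up", e.g. `# Changing the destination host would send the stored api_key to a new host, so secrets are reset when this changes.` (word it to match what the flag actually does in the field DSL, which is not visible here). If the integration exposes any other field that changes where requests are sent (for instance a full API URL override), it needs the same flag or the protection is trivially bypassed — worth checking, as the rest of the field list is outside this hunk. The `field :datadog_site` definition itself continues past the end of the hunk.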
diff --git a/config/initializers/rest-client-hostname_override.rb b/config/initializers/rest-client-hostname_override.rb
index 2fb3b9fc27d..b647fe9cac8 100644
--- a/config/initializers/rest-client-hostname_override.rb
+++ b/config/initializers/rest-client-hostname_override.rb
@@ -14,7 +14,7 @@ module RestClient
self.hostname_override = hostname_override
rescue Gitlab::UrlBlocker::BlockedUrlError => e
- raise ArgumentError, "URL '#{uri}' is blocked: #{e.message}"
+ raise ArgumentError, "URL is blocked: #{e.message}"
end
# Gitlab::UrlBlocker returns a Addressable::URI which we need to coerce
diff --git a/doc/development/integrations/index.md b/doc/development/integrations/index.md
index 9fd8fb7eb61..ceb64ba2bb7 100644
--- a/doc/development/integrations/index.md
+++ b/doc/development/integrations/index.md
@@ -249,6 +249,15 @@ To expose the integration in the [REST API](../../api/integrations.md):
You can also refer to our [REST API style guide](../api_styleguide.md).
+Sensitive fields are not exposed over the API. Sensitive fields are those fields that contain any of the following in their name:
+
+- `key`
+- `passphrase`
+- `password`
+- `secret`
+- `token`
+- `webhook`
+
#### GraphQL API
Integrations use the `Types::Projects::ServiceType` type by default,
diff --git a/lib/gitlab/http_connection_adapter.rb b/lib/gitlab/http_connection_adapter.rb
index 3ef60be67a9..c6f9f2df299 100644
--- a/lib/gitlab/http_connection_adapter.rb
+++ b/lib/gitlab/http_connection_adapter.rb
@@ -47,7 +47,7 @@ module Gitlab
dns_rebind_protection: dns_rebind_protection?,
schemes: %w[http https])
rescue Gitlab::UrlBlocker::BlockedUrlError => e
- raise Gitlab::HTTP::BlockedUrlError, "URL '#{url}' is blocked: #{e.message}"
+ raise Gitlab::HTTP::BlockedUrlError, "URL is blocked: #{e.message}"
end
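Review bot: Removing the URL from the raised message also removes the only place the blocked target was recorded, so operators lose the signal needed to notice SSRF probing; before the `raise`, log `url` (with any userinfo stripped) together with `e.message` through the server-side application logger at warn level, where it is not echoed back to the requester. Also confirm that `Gitlab::UrlBlocker`'s own messages never interpolate the URL or a resolved address, since `e.message` is still passed straight through — the spec strings suggest they do not, but that is an assumption from here. The method containing this `rescue` begins outside the hunk.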
def allow_local_requests?
diff --git a/spec/lib/gitlab/ci/config/external/file/remote_spec.rb b/spec/lib/gitlab/ci/config/external/file/remote_spec.rb
index 2ce3c257a43..27f401db76e 100644
--- a/spec/lib/gitlab/ci/config/external/file/remote_spec.rb
+++ b/spec/lib/gitlab/ci/config/external/file/remote_spec.rb
@@ -184,7 +184,7 @@ RSpec.describe Gitlab::Ci::Config::External::File::Remote, feature_category: :pi
let(:location) { 'http://127.0.0.1/some/path/to/config.yaml' }
it 'includes details about blocked URL' do
- expect(subject).to eq "Remote file could not be fetched because URL '#{location}' " \
+ expect(subject).to eq "Remote file could not be fetched because URL " \
'is blocked: Requests to localhost are not allowed!'
end
end
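Review bot: The example title `'includes details about blocked URL'` now says the opposite of what the assertion checks, since the expected message no longer contains `location`; rename it to `it 'does not include the blocked URL in the error message' do` so a later reader does not "restore" the URL to make the title true. Keeping the exact-string `eq` is the right choice here, because an exact match also proves the URL is absent rather than merely not asserted.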
diff --git a/spec/lib/gitlab/fogbugz_import/importer_spec.rb b/spec/lib/gitlab/fogbugz_import/importer_spec.rb
index 9b58b772d1a..a4246809725 100644
--- a/spec/lib/gitlab/fogbugz_import/importer_spec.rb
+++ b/spec/lib/gitlab/fogbugz_import/importer_spec.rb
@@ -72,7 +72,7 @@ RSpec.describe Gitlab::FogbugzImport::Importer do
expect { subject.execute }
.to raise_error(
::Gitlab::HTTP::BlockedUrlError,
- "URL 'https://localhost:3000/api.asp' is blocked: Requests to localhost are not allowed"
+ "URL is blocked: Requests to localhost are not allowed"
)
end
end
@@ -84,7 +84,7 @@ RSpec.describe Gitlab::FogbugzImport::Importer do
expect { subject.execute }
.to raise_error(
::Gitlab::HTTP::BlockedUrlError,
- "URL 'http://192.168.0.1/api.asp' is blocked: Requests to the local network are not allowed"
+ "URL is blocked: Requests to the local network are not allowed"
)
end
end
diff --git a/spec/lib/gitlab/http_connection_adapter_spec.rb b/spec/lib/gitlab/http_connection_adapter_spec.rb
index 5e2c6be8993..dbf0252da46 100644
--- a/spec/lib/gitlab/http_connection_adapter_spec.rb
+++ b/spec/lib/gitlab/http_connection_adapter_spec.rb
@@ -44,7 +44,7 @@ RSpec.describe Gitlab::HTTPConnectionAdapter do
it 'raises error' do
expect { subject }.to raise_error(
Gitlab::HTTP::BlockedUrlError,
- "URL 'http://172.16.0.0/12' is blocked: Requests to the local network are not allowed"
+ "URL is blocked: Requests to the local network are not allowed"
)
end
@@ -67,7 +67,7 @@ RSpec.describe Gitlab::HTTPConnectionAdapter do
it 'raises error' do
expect { subject }.to raise_error(
Gitlab::HTTP::BlockedUrlError,
- "URL 'http://127.0.0.1' is blocked: Requests to localhost are not allowed"
+ "URL is blocked: Requests to localhost are not allowed"
)
end
@@ -131,7 +131,7 @@ RSpec.describe Gitlab::HTTPConnectionAdapter do
it 'raises error' do
expect { subject }.to raise_error(
Gitlab::HTTP::BlockedUrlError,
- "URL 'ssh://example.org' is blocked: Only allowed schemes are http, https"
+ "URL is blocked: Only allowed schemes are http, https"
)
end
end
diff --git a/spec/lib/gitlab/import_export/remote_stream_upload_spec.rb b/spec/lib/gitlab/import_export/remote_stream_upload_spec.rb
index b1bc6b7eeaf..3d9d6e1b96b 100644
--- a/spec/lib/gitlab/import_export/remote_stream_upload_spec.rb
+++ b/spec/lib/gitlab/import_export/remote_stream_upload_spec.rb
@@ -88,7 +88,7 @@ RSpec.describe Gitlab::ImportExport::RemoteStreamUpload do
it 'raises error' do
expect { subject.execute }.to raise_error(
Gitlab::HTTP::BlockedUrlError,
- "URL 'http://127.0.0.1/file.txt' is blocked: Requests to localhost are not allowed"
+ "URL is blocked: Requests to localhost are not allowed"
)
end
@@ -114,7 +114,7 @@ RSpec.describe Gitlab::ImportExport::RemoteStreamUpload do
it 'raises error' do
expect { subject.execute }.to raise_error(
Gitlab::HTTP::BlockedUrlError,
- "URL 'http://172.16.0.0/file.txt' is blocked: Requests to the local network are not allowed"
+ "URL is blocked: Requests to the local network are not allowed"
)
end
@@ -142,7 +142,7 @@ RSpec.describe Gitlab::ImportExport::RemoteStreamUpload do
expect { subject.execute }.to raise_error(
Gitlab::HTTP::BlockedUrlError,
- "URL 'http://127.0.0.1/file.txt' is blocked: Requests to localhost are not allowed"
+ "URL is blocked: Requests to localhost are not allowed"
)
end
@@ -168,7 +168,7 @@ RSpec.describe Gitlab::ImportExport::RemoteStreamUpload do
it 'raises error' do
expect { subject.execute }.to raise_error(
Gitlab::HTTP::BlockedUrlError,
- "URL 'http://172.16.0.0/file.txt' is blocked: Requests to the local network are not allowed"
+ "URL is blocked: Requests to the local network are not allowed"
)
end
@@ -192,7 +192,7 @@ RSpec.describe Gitlab::ImportExport::RemoteStreamUpload do
expect { subject.execute }.to raise_error(
Gitlab::HTTP::BlockedUrlError,
- "URL 'http://example.com/file.txt' is blocked: Requests to localhost are not allowed"
+ "URL is blocked: Requests to localhost are not allowed"
)
end
end
diff --git a/spec/lib/gitlab/prometheus/queries/validate_query_spec.rb b/spec/lib/gitlab/prometheus/queries/validate_query_spec.rb
index e3706a4b106..f09fa3548f8 100644
--- a/spec/lib/gitlab/prometheus/queries/validate_query_spec.rb
+++ b/spec/lib/gitlab/prometheus/queries/validate_query_spec.rb
@@ -43,10 +43,7 @@ RSpec.describe Gitlab::Prometheus::Queries::ValidateQuery do
context 'Gitlab::HTTP::BlockedUrlError' do
let(:api_url) { 'http://192.168.1.1' }
- let(:message) do
- "URL 'http://192.168.1.1/api/v1/query?query=avg%28metric%29&time=#{Time.now.to_f}'" \
- " is blocked: Requests to the local network are not allowed"
- end
+ let(:message) { "URL is blocked: Requests to the local network are not allowed" }
before do
stub_application_setting(allow_local_requests_from_web_hooks_and_services: false)
diff --git a/spec/models/integration_spec.rb b/spec/models/integration_spec.rb
index 7af96c7025a..a247881899f 100644
--- a/spec/models/integration_spec.rb
+++ b/spec/models/integration_spec.rb
@@ -2,7 +2,7 @@
require 'spec_helper'
-RSpec.describe Integration do
+RSpec.describe Integration, feature_category: :integrations do
using RSpec::Parameterized::TableSyntax
let_it_be(:group) { create(:group) }
@@ -854,6 +854,7 @@ RSpec.describe Integration do
{ name: 'api_key', type: 'password' },
{ name: 'password', type: 'password' },
{ name: 'password_field', type: 'password' },
+ { name: 'webhook' },
{ name: 'some_safe_field' },
{ name: 'safe_field' },
{ name: 'url' },
@@ -881,6 +882,7 @@ RSpec.describe Integration do
field :api_key, type: 'password'
field :password, type: 'password'
field :password_field, type: 'password'
+ field :webhook
field :some_safe_field
field :safe_field
field :url
@@ -1092,6 +1094,8 @@ RSpec.describe Integration do
field :bar, type: 'password'
field :password
+ field :webhook
+
field :with_help, help: -> { 'help' }
field :select, type: 'select'
field :boolean, type: 'checkbox'
@@ -1142,7 +1146,7 @@ RSpec.describe Integration do
it 'registers fields in the fields list' do
expect(integration.fields.pluck(:name)).to match_array %w[
- foo foo_p foo_dt bar password with_help select boolean
+ foo foo_p foo_dt bar password with_help select boolean webhook
]
expect(integration.api_field_names).to match_array %w[
@@ -1157,6 +1161,7 @@ RSpec.describe Integration do
have_attributes(name: 'foo_dt', type: 'text'),
have_attributes(name: 'bar', type: 'password'),
have_attributes(name: 'password', type: 'password'),
+ have_attributes(name: 'webhook', type: 'text'),
have_attributes(name: 'with_help', help: 'help'),
have_attributes(name: 'select', type: 'select'),
have_attributes(name: 'boolean', type: 'checkbox')
diff --git a/spec/models/integrations/datadog_spec.rb b/spec/models/integrations/datadog_spec.rb
index 65ecd9bee83..2d1e23b103f 100644
--- a/spec/models/integrations/datadog_spec.rb
+++ b/spec/models/integrations/datadog_spec.rb
@@ -3,7 +3,7 @@ require 'securerandom'
require 'spec_helper'
-RSpec.describe Integrations::Datadog do
+RSpec.describe Integrations::Datadog, feature_category: :integrations do
let_it_be(:project) { create(:project) }
let_it_be(:pipeline) { create(:ci_pipeline, project: project) }
let_it_be(:build) { create(:ci_build, pipeline: pipeline) }
diff --git a/spec/support/shared_contexts/features/integrations/integrations_shared_context.rb b/spec/support/shared_contexts/features/integrations/integrations_shared_context.rb
index bf5158c9a92..2c92ef64815 100644
--- a/spec/support/shared_contexts/features/integrations/integrations_shared_context.rb
+++ b/spec/support/shared_contexts/features/integrations/integrations_shared_context.rb
@@ -93,6 +93,7 @@ Integration.available_integration_names.each do |integration|
def initialize_integration(integration, attrs = {})
record = project.find_or_initialize_integration(integration)
+ record.reset_updated_properties if integration == 'datadog'
record.attributes = attrs
record.properties = integration_attrs
record.save!
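Review bot: `record.reset_updated_properties if integration == 'datadog'` hard-codes one integration name into a helper shared by every integration, with no explanation, so the next integration that marks a field `exposes_secrets` will presumably fail here for a reason nobody can reconstruct. Add a comment giving the reason, e.g. `# datadog_site is flagged exposes_secrets; clear the change tracker so assigning properties does not discard the fixture's api_key`, and prefer a condition derived from the record's field metadata (something like `record.fields.any? { _1[:exposes_secrets] }`, if the field DSL exposes that key — not visible here) over the literal name. `initialize_integration` ends outside this hunk.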
diff --git a/spec/support/shared_examples/initializers/uses_gitlab_url_blocker_shared_examples.rb b/spec/support/shared_examples/initializers/uses_gitlab_url_blocker_shared_examples.rb
index 553e9f10b0d..cef76bd4356 100644
--- a/spec/support/shared_examples/initializers/uses_gitlab_url_blocker_shared_examples.rb
+++ b/spec/support/shared_examples/initializers/uses_gitlab_url_blocker_shared_examples.rb
@@ -33,7 +33,7 @@ RSpec.shared_examples 'a request using Gitlab::UrlBlocker' do
expect { make_request('https://example.com') }
.to raise_error(url_blocked_error_class,
- "URL 'https://example.com' is blocked: Requests to the local network are not allowed")
+ "URL is blocked: Requests to the local network are not allowed")
end
it 'raises error when it is a request that resolves to a localhost address' do
@@ -41,19 +41,19 @@ RSpec.shared_examples 'a request using Gitlab::UrlBlocker' do
expect { make_request('https://example.com') }
.to raise_error(url_blocked_error_class,
- "URL 'https://example.com' is blocked: Requests to localhost are not allowed")
+ "URL is blocked: Requests to localhost are not allowed")
end
it 'raises error when it is a request to local address' do
expect { make_request('http://172.16.0.0') }
.to raise_error(url_blocked_error_class,
- "URL 'http://172.16.0.0' is blocked: Requests to the local network are not allowed")
+ "URL is blocked: Requests to the local network are not allowed")
end
it 'raises error when it is a request to localhost address' do
expect { make_request('http://127.0.0.1') }
.to raise_error(url_blocked_error_class,
- "URL 'http://127.0.0.1' is blocked: Requests to localhost are not allowed")
+ "URL is blocked: Requests to localhost are not allowed")
end
end
@@ -69,13 +69,13 @@ RSpec.shared_examples 'a request using Gitlab::UrlBlocker' do
it 'raises error when it is a request to local address' do
expect { make_request('https://172.16.0.0:8080') }
.to raise_error(url_blocked_error_class,
- "URL 'https://172.16.0.0:8080' is blocked: Requests to the local network are not allowed")
+ "URL is blocked: Requests to the local network are not allowed")
end
it 'raises error when it is a request to localhost address' do
expect { make_request('https://127.0.0.1:8080') }
.to raise_error(url_blocked_error_class,
- "URL 'https://127.0.0.1:8080' is blocked: Requests to localhost are not allowed")
+ "URL is blocked: Requests to localhost are not allowed")
end
end